Author Archive - Kyle Wilhoit (Senior Threat Researcher)

Recently, we shed some light on APT attack tools and how to identify them. Part of our daily tasks as threat researchers revolves around investigating APT actors, and the tools that they utilize to help better protect our customers. The purpose of this blog is to further investigate the tools that APT actors typically use and what they do with them.

How these tools are used

While many would assume these tools are used during the initial compromise phase of an attack, that is not the focus of this post. I will be focusing on the tools that are used after the initial compromise has been achieved. The following diagram illustrates where these tools are commonly used in a traditional APT lifecycle.

Figure 1. Traditional APT lifecycle

Step 1: The attacker sends malware to the victim. This can be done in many ways – an email message with a malicious attachment, a USB flash disk, or a compromised web site are all possibilities.

Step 2: The malware is executed on the affected system. This may require manual steps by the victim, or it could be done without any intervention using exploits.

Step 3: When the malware is run, it drops a backdoor such as STARSYPOUND or BOUNCER. These first-stage tools call back to the attacker and give them a way back into the system, allowing the attacker to maintain persistence and regain access at a later time.

Step 4: The attacker then uploads tools to perform data exfiltration, lateral movement, and a litany of other tasks.

Tools overview

The tools listed below include some of the tools APT actors use on a daily basis. They are typically employed once the APT actor has gained access to the victim's machine via one of the first-stage tools described above. Keep in mind, however, that this list does not include first-stage tools such as backdoors and Trojans.

In addition, this is not a complete listing of tools; the threat landscape changes too quickly for one to exist. Many APT actors use custom-coded applications that provide similar functionality and thus may differ from those listed below. Use this list as a baseline of functionality to help identify similar tools in your environment and as a reference for known tools used in common APT campaigns.

Just like other businessmen, scammers operate using certain business models. In my previous post, I wrote about the typical scammer, their trust model, and the strategies they use to get, hold, and sustain customers. In this post, we’ll look at their business model, and how users can avoid their schemes.

Scammers' Business Model

While scammers typically don't use a formalized business model, we can easily determine how they operate. This model is similar to traditional business models in that it focuses on gaining and keeping customers and generating referrals. Though it may not hold for every scam operation or operator, the template is based on the behavior these operators commonly exhibit.

In this sample business model, scammers first scout for customers. Once they have acquired these customers, they develop loyalty programs to keep them around, including selling items in bulk. They also attempt to grow their customer base, either through referrals or by vouching for fellow scammers ("back scratching").

Figure 1. Sample scammer business model

We have seen this type of business model used several times in scams and continue to see it in 2013. In our 2013 security predictions, we stated that these sellers would become more motivated as 2013 progresses, and this is further evidence that we will continue to see this kind of business development in the coming years.

In my last blog post, I covered how cybercriminals use your stolen information and why these criminals want it in the first place. That entry, along with this one, is part of a blog series intended to cover the expanding economies surrounding cybercrime, as well as some facts and recommendations to help safeguard your data against information theft.

In this first part of a two-part intelligence brief series, I will tackle the existing "trust model" in the underground cybercrime arena and profile some of the gateways and actors that sell these goods.

Information Theft Business Model

It’s no secret that scammers are out there to make a quick buck. However, what’s often not known or discussed is how they engage the market to sell their goods.

These scammers must first bring their goods to market. They often advertise on Pastebin, underground forums, and several other sites designed to peddle their wares. They also commonly post their "ads" on legitimate forums and sites. This step corresponds to "gaining customers". The next step is establishing a pricing model that fits the marketplace.

Price Discrimination vs. Penetration Pricing

During the past five years, there have been a number of incidents illustrating price discrimination on underground forums. Price discrimination exists when a provider sells identical goods or services at different prices to different buyers. Economists conventionally distinguish three degrees of price discrimination, each discriminating on a different basis: by individual buyer, by quantity or version purchased, or by buyer segment.

However, in the past two years, there has been a shift away from price discrimination toward a penetration pricing model. Penetration pricing is a tactic a seller uses to attract new buyers quickly.

In the penetration pricing model, scammers enter the market and sell their wares at a much lower price to gain market share, then slowly increase their price until it matches the market value set by the other sellers. Vendors of stolen goods who use this model typically find a ready market for their goods; it often leads to increased sales volume and higher inventory turnover.

This upswing in penetration pricing has likely occurred because many new entrants came into the underground marketplace. These new entrants were neither charging the maximum the market would bear nor pricing by individual buyer attributes.

These scammers are also enjoying a fairly uninhibited marketplace, since hiding their activities has become dramatically easier. Onion routing (as used by Tor) is one of the many ways these actors hide their tracks.

I recall a conversation with my neighbor in which I mentioned working in information security. His next question came quickly: "Why do these scammers want my information?" The more I'm asked this question, the more apparent it becomes that user information is highly valuable.

Would it be surprising to learn that it costs a mere $5 (USD) to buy all of your personal information on underground forums and sites? Some of you may also be surprised to find out that the information for sale isn't just your name and address; it's far more than that.

"Fullz", as they are called on underground forums, contain more than credit card numbers, names, and dates of birth. They also include the personal questions asked during account registrations, driver's license information, social security numbers, and other details. "Fullz" are typically delivered in one of several ways. The simplest is a text or .CSV file with one comma-separated record per compromised individual, so all of the details can be perused easily. Alternatively, "fullz" can be delivered as a database file, such as a Microsoft SQL Server data (.MDF) file, that the buyer attaches to a local database instance.

Just because these scammers are nefarious, it doesn’t mean they’re not entrepreneurial. For instance, one seller offers bulk discounts for orders as seen in figure 2.

These scammers also sell "dumps", which are the raw data read off the magnetic stripe of your credit cards. Alongside dumps, they sell "plastics", blank cards onto which dumps are encoded.
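To make the two formats concrete, here is an added example (mine, not code from the original post) that parses the magnetic-stripe Track 2 layout a "dump" is sold in and flags "fullz"-style records in a CSV or text file, the way a defender might triage a suspected exfiltration staging file or run a quick DLP check. The Track 2 layout follows ISO/IEC 7813 (start sentinel, PAN, "=" separator, YYMM expiry, 3-digit service code, discretionary data, end sentinel); the regular expressions, labels and the SSN pattern are my own assumptions, and the sample data is constructed around the public Visa test number 4111111111111111. It does not open .MDF files; those need a SQL Server instance.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Track 2 magnetic-stripe layout (ISO/IEC 7813): ';' start sentinel, PAN of up
# to 19 digits, '=' field separator, expiry as YYMM, 3-digit service code,
# discretionary data, '?' end sentinel. A "dump" is this string as read off
# the card.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)
# Candidate card numbers and US SSNs inside free text or CSV fields
# (assumed patterns; tune for your own data).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    expiry: str  # YYMM
    service_code: str
    discretionary: str


def parse_track2(text: str) -> Optional[Track2]:
    """Return the first Luhn-valid Track 2 record found in text, or None."""
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m["pan"]):
            return Track2(m["pan"], m["exp"], m["svc"], m["disc"])
    return None


def classify_line(line: str) -> str:
    """Label one line: 'dump' (track data), 'fullz' (PAN plus SSN),
    'pan' (card number only) or 'clean'."""
    if parse_track2(line) is not None:
        return "dump"
    pans = [p for p in PAN_RE.findall(line) if luhn_ok(p)]
    if pans and SSN_RE.search(line):
        return "fullz"
    if pans:
        return "pan"
    return "clean"


def scan(text: str) -> Dict[str, List[int]]:
    """Map each non-clean label to the 1-based line numbers that received it."""
    hits: Dict[str, List[int]] = {}
    for n, line in enumerate(text.splitlines(), start=1):
        label = classify_line(line)
        if label != "clean":
            hits.setdefault(label, []).append(n)
    return hits


# Constructed sample built around the public Visa test number
# 4111111111111111; nothing here is real cardholder data. Lines 4 and 5
# contain digit runs that fail the Luhn check and must stay 'clean'.
SAMPLE = """first,last,card,ssn,dob,mmn
John,Doe,4111111111111111,123-45-6789,1970-01-01,Smith
;4111111111111111=2512101123456789?
order 1234567890123 shipped
card 4111111111111112 declined
"""

if __name__ == "__main__":
    print(scan(SAMPLE))  # {'fullz': [2], 'dump': [3]}
```

The Luhn check is what keeps order numbers and similar digit runs out of the results; without it, any 13 to 19 digit string would be reported. In practice you would feed `scan()` the contents of files found in a staging directory or an outbound transfer, and treat a 'dump' or 'fullz' hit as a reason to escalate.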

And finally, to make scamming even easier, attackers are selling direct logins for bank accounts as well as high-end electronics. Bank accounts are sold for direct access to the money: no more buying dumps and plastics, just use the bank login and transfer the funds.

High-end electronics are also peddled on the black market at reasonable prices. These scammers buy devices at retail price using stolen credit card information, then sell them online at discounted rates for cash.